Feb 08 2021

4 Critical Security Metrics To Prioritize for Higher Ed

With so many metrics to monitor, how do you determine which are the most critical?

My first boss told me, “You get the resources you need from good stats on your projects.” It’s a reality that guides me in my quest to build an effective security metrics program.

Setting up a security metrics program involves three phases (data collection, analysis and reporting) and numerous stakeholders who are involved and affected. With so much on the line, you need to prioritize the most critical analytics. Here’s what a good security metrics reporting package should include.

1. Operational

Examples of these reports include help desk tickets submitted and completed, security project status, the number of security scans finished and their results, and an inventory of hardware and software connected to your network. Among your audience, these metrics are particularly relevant to your boss, IT management peers and your security team.


2. Incidents

This is the number of reported security incidents and their statuses, such as success or failure, financial and reputational impact, after-action reports, and legal statuses. The target audience for these includes your manager, his or her manager and your board of directors or trustees.

3. Compliance

These metrics show how effective your security controls, services and training are in complying with the security or data standards your organization must adhere to. For these, your most pertinent audience includes management, internal auditors and units involved with regulatory compliance.

4. Executive

These metrics are similar to the compliance metrics, but they also show the value of your security controls, services and training. Additionally, they should show areas that need improvement, along with your progress in meeting your organization’s business goals. 

 
